Hello;

Although the LAN connects to the Internet normally, I could not get the DMZ out through ISP2... I will also run a test with the rules you wrote. Thank you for your interest.

 


From: Huzeyfe Onal [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 26, 2006 8:00 PM
To: freebsd@lists.enderunix.org
Subject: Re: [FreeBSD] PF Help

Hello,

What exactly is not working? Is it that the users you want cannot go out through the line you want? By adding log(all) to the block and pass lines you can understand the problem more easily from the logs.

In addition, the rules you wrote are very complicated; for this setup there are rules that will override each other..

I took the rules below, in simplified form, from a FW that currently works in a similar way;

ext_if1="xl0"
ext_if2="r10"
int_if="fxp0"
ext_gw1="1.1.1."
ext_gw2="2.2.3.1"

# memur = clerks' hosts, mudur = managers' hosts (address lists elided);
# $ic_ag = the internal network macro, defined in the elided part
memur="{...}"
mudur="{....}"
nat  on $ext_if1 from $ic_ag -> ($ext_if1:0)
nat  on $ext_if2 from $ic_ag -> ($ext_if2:0)

...

pass out on $ext_if1 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any keep state
pass out on $ext_if2 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any keep state
pass in on $int_if   route-to  ($ext_if1 $ext_gw1)   proto {tcp udp icmp} from $memur to any flags S/SA keep state
pass in on $int_if   route-to { ($ext_if2 $ext_gw2) }  proto {tcp udp icmp} from $mudur to any flags S/SA keep state

....

On 26.01.2006, T.Tuncay Hebu <[EMAIL PROTECTED]> wrote:

Hi;

I am trying to set up a structure like the one below. I would be grateful if you could help me with where I am going wrong.

Thanks

                            |--(fxp0)------------- ISP1
LAN ----------- (xl0)--FW---|
                            |--(fxp1)------------- ISP2
                            |
                          (fxp2)
                            |
                            |
                           DMZ


1. LAN VIA ISP1

2. DMZ VIA ISP2 IS HOW I WANT THEM TO CONNECT TO THE INTERNET.

THE PF.CONF CONTENTS OF THE OPENBSD 3.8 IN THE TEST ENVIRONMENT I PREPARED TEMPORARILY ARE AS FOLLOWS.

##########################################
ext_if1="fxp0"
ext_gw1="10.10.10.1"
ext_if2="fxp1"
ext_gw2="10.20.20.1"
int_if1="xl0"
int_if2="fxp2"
lan_net="192.168.1.0/24"
dmz_net="192.168.2.0/24"

nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $dmz_net to any -> ($ext_if2)

block in from any to any
block out from any to any

pass out on $int_if1 from any to $lan_net
pass in quick on $int_if1 from $lan_net to $int_if1

pass out on $int_if2 from any to $dmz_net
pass in quick on $int_if2 from $dmz_net to $int_if2

pass in  on $int_if1 route-to ($ext_if1 $ext_gw1) \
 proto tcp from $lan_net to any flags S/SA modulate state
pass in  on $int_if1 route-to ($ext_if1 $ext_gw1) \
 proto { udp, icmp } from $lan_net to any keep state

pass in  on $int_if2 route-to ($ext_if2 $ext_gw2) \
 proto tcp from $dmz_net to any flags S/SA modulate state
pass in  on $int_if2 route-to ($ext_if2 $ext_gw2) \
 proto { udp, icmp } from $dmz_net to any keep state

pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

###########################

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0e:0c:76:f7:28
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.10.10.13 netmask 0xffffff00 broadcast 10.10.10.255
        inet6 fe80::20e:cff:fe76:f728%fxp0 prefixlen 64 scopeid 0x1
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0e:0c:76:f7:29
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.20.20.10 netmask 0xffffff00 broadcast 10.20.20.255
        inet6 fe80::20e:cff:fe76:f729%fxp1 prefixlen 64 scopeid 0x2
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:76:0b:27:de
        media: Ethernet autoselect (none)
        status: no carrier
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::204:76ff:fe0b:27de%xl0 prefixlen 64 scopeid 0x3
fxp2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:a0:c9:43:26:45
        media: Ethernet autoselect (10baseT)
        status: active
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::2a0:c9ff:fe43:2645%fxp2 prefixlen 64 scopeid 0x4

--
Huzeyfe ÖNAL  
---
First Turkish Qmail book is out! Go check it.
Have you heard! Turkey's first Qmail book is out.
http://www.acikakademi.com/catalog/qmail/
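As an added example, not code from either poster, here is the asker's LAN-via-ISP1 / DMZ-via-ISP2 setup in the simplified, logged form Huzeyfe's reply calls for, written against the asker's interface names and networks. The OpenBSD 3.8-era syntax, the lo0 rule and reading the dropped packets from pflog0 are assumptions.

```pf
# Added example, not from either poster: the asker's two-ISP setup in the
# simplified form Huzeyfe's reply describes. Assumes OpenBSD 3.8-era syntax
# and that logged packets are read with: tcpdump -n -e -ttt -i pflog0
ext_if1="fxp0"
ext_gw1="10.10.10.1"
ext_if2="fxp1"
ext_gw2="10.20.20.1"
int_if1="xl0"
int_if2="fxp2"
lan_net="192.168.1.0/24"
dmz_net="192.168.2.0/24"

# Each internal network is source-NATed behind the uplink it must use.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $dmz_net to any -> ($ext_if2)

# Default deny, logged: every dropped packet reaches pflog0 with its
# interface and direction, so the rule dropping DMZ traffic can be found.
block log all
pass quick on lo0 all

# Hosts talking to the firewall itself (assumed to be wanted).
pass in quick on $int_if1 from $lan_net to $int_if1
pass in quick on $int_if2 from $dmz_net to $int_if2

# Policy routing decided once, on the inbound internal interface:
# LAN -> ISP1, DMZ -> ISP2. "quick" stops later rules from overriding
# the choice; "log" records the packet that creates each state.
pass in log quick on $int_if1 route-to ($ext_if1 $ext_gw1) \
    proto tcp from $lan_net to any flags S/SA modulate state
pass in log quick on $int_if1 route-to ($ext_if1 $ext_gw1) \
    proto { udp, icmp } from $lan_net to any keep state
pass in log quick on $int_if2 route-to ($ext_if2 $ext_gw2) \
    proto tcp from $dmz_net to any flags S/SA modulate state
pass in log quick on $int_if2 route-to ($ext_if2 $ext_gw2) \
    proto { udp, icmp } from $dmz_net to any keep state

# Let the routed packets leave each uplink; the state created above is
# what lets the replies back in.
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# A packet carrying one uplink's address that is about to leave through
# the other uplink is sent back out via its own gateway.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
```

This does not by itself say why the DMZ fails; the point is that with "log" on the block rule, the pflog0 capture names the interface and direction of every dropped DMZ packet, which is the information the thread is missing.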
